Although bank robberies are a perennial threat to banks, their employees and their customers, the increasingly sophisticated and accessible high-tech fraud tactics used by cyber criminals are a greater - and growing - threat to a bank's bottom line.

In a bank robbery, especially in the unusual case where the whole bank is taken hostage, a situation The Mechanics Bank encountered when its Point Richmond branch was robbed in November, the bank's main concern is safety. The amount of money taken typically is fairly small and will not dent a bank's bottom line. Further, bank robbers are apprehended in almost 58 percent of cases, according to Federal Bureau of Investigation statistics. Only murder has a higher rate of clearance by arrest.

That's a stark contrast to checking account fraud, which cost financial institutions $2.4 billion over one 12-month period that ended in 2004, according to a study by research firm Gartner Group. A portion of those losses was caused by "phishing," a scam in which crooks use fraudulent e-mails and Web sites in an effort to entice consumers to give up personal and account information. Since 2004, phishing attacks have grown exponentially.

Not only are the losses greater, it's also harder to catch a cyber thief; investigators often find themselves chasing a ghost who may have put up a fake Web site for just a couple of days. When it comes to financial losses, bad loans, unscrupulous employees, check fraud and identity theft are far more worrisome for banks than robberies.

That's not to say banks are not using the latest technology to deter or help catch bank robbers. Several banks are considering installing large monitors as a robbery deterrent. High-quality digital pictures taken by cameras at the Bank of Alameda were instrumental in the arrest of a trio of youths for a string of East Bay bank robberies that netted more than $300,000 - an above-average take - including the January and October robberies of the same Bank of Alameda branch, and the Mechanics Bank robbery. As a federal offense, the maximum penalty for bank robbery is 10 years; add a gun or dangerous weapon and a robber can face up to 25 years.

With nearly 7,000 bank offices throughout the state, California endures a disproportionate number of U.S. bank robberies. According to the FBI, in 2000, the 1,291 bank robberies in California were more than twice those of Florida, its closest competitor, and more than the number of robberies in the entire Northeast. The four robberies that led to the arrests this year were just the latest incidents in the Bay Area. Wells Fargo & Co. in Livermore, Bank of America in Fremont, Washington Mutual in Mountain View, Citibank in San Jose, Bank of America in Santa Clara, and a US Bank branch in a Dublin Safeway have all been victimized over the past two years.

Bank officials don't like to talk publicly about robbery. For one thing, the bank's reputation and the trust of its customers are on the line. Moreover, bank executives do not want to give the impression that a branch may be an easy target by publicly discussing the details of a robbery.

Some banks contacted for this story, including First Republic Bank, declined to talk about security, while two other banks would talk on background only. Wells Fargo, which, like Bank of America and Washington Mutual, is often targeted due to the sheer number of branches and tellers, agreed to discuss Internet security only and declined to comment on branch robberies.

While a bank customer would be hard-pressed to miss a robbery, cyber-crime is far more subtle - and the crooks are getting better all the time. Ninety percent of participants in a study conducted by researchers at UC-Berkeley and Harvard University were fooled by good phishing Web sites.

"A lot of attacks and frauds prey on customers' lack of knowledge - from lack of knowledge about domain name syntax to lack of knowledge about security and security indicators," said Jim Smith, executive vice president and managing head of the Internet Services Group at Wells Fargo.

More sophisticated software, greater levels of efficiency and automation, and the growing availability of "phishing kits" that allow people to easily set up a bogus Web site are driving the criminal activity.

The higher levels of sophistication are partly behind some of the shifts security experts are seeing in the patterns of phishing attacks. Frederick Felman, chief marketing officer at MarkMonitor Inc., a San Francisco fraud prevention and brand protection firm, said he has seen phishing attacks move from very broad attacks to more narrow targeted attacks on smaller banks and credit unions.

In 2005, for example, 26 percent of phishing attacks were against credit unions. Last year that percentage rose to 39 percent. MarkMonitor is also seeing a marked increase in the number of attacks against social networking, and job search and recruitment sites.

Financial institutions are by far the main target of phishing; 90 percent of phishing attacks in December were against financial services companies, according to the Anti-Phishing Working Group. Estimates of financial losses from phishing top $1 billion a year. Even the Federal Deposit Insurance Corp. is not safe from the attacks. On Feb. 22 the FDIC issued a special alert warning of fraudulent e-mail purportedly from the FDIC or security firm Verisign Inc. asking users to download an attached file to secure their Web sites.

Banks are fighting back by educating customers, training employees to watch for fraud and bolstering security; most banks use layered security and monitoring tools from a number of vendors. In response to regulatory guidance, banks are also implementing additional controls over the ways a customer accesses online accounts.

In addition to PINs and passwords, online customers may now have a token or card to access an account. In coming years, biometrics, from iris scans to hand geometry to voice prints or fingerprints, will become more common.

Implementing these various types of multi-factor authentication has been all-consuming for banks of late, said Chris Doner, CEO of Access Softek Inc., a Berkeley company whose products allow banks to offer multi-factor authentication. With more and more attacks coming from overseas - roughly 30 percent of the phishing attacks in December came from the Republic of Korea and from China - Doner said he expects to see a shift in the way people approach online fraud. That will entail moving more quickly to stem potential attacks.

"Anytime there is competition, the broader the territory from which you draw potential competitors the better they are," he said. "The same is true now" with fraudsters.

Phishing is not the only type of fraud that is growing more sophisticated. Mark Spillner, director of corporate security at Fremont Bank, said more checks are being stolen from mailboxes, "washed" or cleaned of ink, and then rewritten out to the thieves.

Forgery, which accounts for 24 percent of check fraud, is hard to detect.

"The most difficult thing on a forged check or third-party check is that so many systems are automated," said Abe Colman, an attorney with Reed Smith LLP in Los Angeles, whose clients include Citibank, Chase Manhattan Bank and California Bank & Trust. With millions of checks passing through the clearing systems of a major bank every day, "to stop the presses and review every single check is literally an impossible path. It would slow down the entire process."

Losses from check fraud at U.S. banks, including forgery, bounced checks, and counterfeit checks, stood at $677 million in 2003, according to data from the American Bankers Association. While that amount was a slight decrease from the $698 million in losses suffered in 2001, the number of check-fraud cases was up about three percent in 2003 to 616,469 cases.

Stolen checks can also provide crooks with real account and routing numbers that can be placed on other checks.

"I can remember when counterfeiting was done with an offset press machine," said Scott Saunders, Bank of the West director of corporate security. Now, a sophisticated counterfeit outfit can operate off a desktop computer with a $30 package of checks from an office supply store.

Staying ahead of the crooks does not come cheap. Fremont Bank bought 500 machines for its large merchant customers to detect checks that have been washed; the bank's tellers have them, too. Some other banks receive a list of checks issued by large customers that can be matched and cleared against incoming items. Check amounts that do not match will be rejected and examined separately.

When it comes to bank security, the methods have changed over the years, but crooks' interest in stealing bank assets seems higher than ever. When Wells Fargo was founded, in 1852, one of its primary means of protecting deposits and the gold the bank ferried was the shotgun rider who accompanied every Wells Fargo stagecoach. As Smith of Wells Fargo noted, today's shotgun rider resides in the bank's firewall and technology.